X auth token vs cookie recipe

The scenario is the following: I have to perform a federated authentication of a user (who uses his university account) into his university's SharePoint site, and also obtain both the FedAuth and rtFa cookies (which I have to pass on to the SharePoint REST web services in order to access resources).

I made some attempts, but there is at least one problem in each of them:

1) Using the Microsoft.SharePoint.Client library

This way I get the FedAuth cookie, but I am not able to obtain the rtFa cookie.

How can I obtain the rtFa cookie in this case? Can I intercept the HTTP request involved in this kind of operation (i.e. context.ExecuteQuery()), which presumably carries the rtFa cookie in its headers? Or, can I obtain the rtFa cookie by leveraging only the FedAuth cookie?

2) Using MsOnlineClaimsHelper

This is a helper class that can be found on the web (e.g. here: blog.kloud.com.au/tag/msonlineclaimshelper/).

This class, as it is, works with normal authentication but fails with federated authentication.

So I modified it to make it work in this scenario. As far as I understand, the steps are the following:

  1. Authenticate with the password against the STS ADFS service of the university (the "federated party" or the ISSUER); here the Relying Party is the SharePoint O365 STS ("https://login.microsoftonline.com/extSTS.srf")
  2. If the authentication succeeds, I get back a SAML assertion containing the claims and a security token
  3. Now, I authenticate against the SharePoint site by passing the Security Token
  4. If the token is accepted, I get back a response containing the two cookies (FedAuth and rtFa)

I am not an expert in this matter, and I wrote the following code:

This is the code that calls the method above and tries to get FedAuth and rtFa from the credentials in two steps (step 1: get the SAML token from the Federated Party; step 2: pass the token from the Federated Party to SharePoint):

I do get back a SAML token from the university STS. However, when parsed, the resulting SecurityToken has no security keys (i.e. the SecurityKeys collection is empty).

With no keys, I get past GetO365BinaryTokenFromToken(), but when I try to send the token to the SharePoint authentication service I get the following error: "The signing token Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityToken has no keys. The security token is used in a context that requires it to perform cryptographic operations, but the token contains no cryptographic keys. Either the token type does not support cryptographic operations, or the particular token instance does not contain cryptographic keys. Check your configuration to ensure that cryptographically disabled token types (for example, UserNameSecurityToken) are not specified in a context that requires cryptographic operations (for example, an endorsing supporting token)."

I think there are some configuration issues that I cannot control directly, on both sides (the university STS ADFS and the SharePoint STS).

Hopefully more expert people will bring clarity to this process and also provide advice on how to actually get this scenario to work.

File download function

With the following function, I can download a file (given a URL such as https://myfederatedparty.sharepoint.com/sites/MYSITE/path/myfile.pdf) by sending both the FedAuth and the rtFa cookie. If I don't pass the rtFa cookie, I get an "Unauthorized" response.
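The four-step flow listed in the question (password to the university ADFS, SAML assertion to the MSO STS, binary token to the site, cookies back), worked through at the message level. This is an added example and not code from the question, from MsOnlineClaimsHelper or from Microsoft: it builds the two WS-Trust RST/Issue envelopes, lifts the signed assertion out of the ADFS response without re-serialising it, reads the BinarySecurityToken from extSTS.srf, posts it to `/_forms/default.aspx?wa=wsignin1.0` and picks FedAuth and rtFa out of the Set-Cookie headers. The HTTP transport is injected so the block runs offline against a constructed stand-in; `adfs.example.edu`, `example.sharepoint.com`, the assertion, the token blob and the cookie values are all constructed samples.

```python
"""Federated active auth to SharePoint Online at the message level. Added example: not code
from the question, MsOnlineClaimsHelper or Microsoft. Hosts, blobs and cookie values are constructed."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

MSO_STS = "https://login.microsoftonline.com/extSTS.srf"
NS = {"s": "http://www.w3.org/2003/05/soap-envelope",
      "t": "http://schemas.xmlsoap.org/ws/2005/02/trust",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "psf": "http://schemas.microsoft.com/Passport/SoapServices/SOAPFault"}

def build_rst(sts_url, credential_xml, applies_to):
    """WS-Trust (Feb 2005) RST/Issue. Both hops use this envelope; only the credential in the
    Security header and the AppliesTo realm differ. NoProofKey asks for a bearer token."""
    return (f'<s:Envelope xmlns:s="{NS["s"]}" xmlns:a="http://www.w3.org/2005/08/addressing"><s:Header>'
            f'<a:Action s:mustUnderstand="1">{NS["t"]}/RST/Issue</a:Action>'
            f'<a:To s:mustUnderstand="1">{escape(sts_url)}</a:To>'
            f'<o:Security s:mustUnderstand="1" xmlns:o="{NS["wsse"]}">{credential_xml}</o:Security>'
            f'</s:Header><s:Body><t:RequestSecurityToken xmlns:t="{NS["t"]}">'
            '<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><a:EndpointReference>'
            f'<a:Address>{escape(applies_to)}</a:Address></a:EndpointReference></wsp:AppliesTo>'
            '<t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>'
            f'<t:RequestType>{NS["t"]}/Issue</t:RequestType>'
            '<t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>'
            '</t:RequestSecurityToken></s:Body></s:Envelope>')

def raise_on_fault(root):
    """extSTS.srf reports a rejected credential or realm as a SOAP Fault with a psf:text reason."""
    fault = root.find(".//s:Fault", NS)
    if fault is not None:
        text = fault.find(".//psf:text", NS)
        raise RuntimeError("STS fault: " + (text.text if text is not None and text.text else "?"))

def extract_assertion(adfs_rstr):
    """Lift the signed SAML assertion out of the ADFS response as raw text: re-serialising it
    through an XML library can break the enveloped XML-DSig that the MSO STS verifies."""
    m = re.search(r"<(\w*:?)Assertion\b.*?</\1Assertion>", adfs_rstr, re.S)
    if not m:
        raise RuntimeError("no SAML assertion in ADFS response")
    return m.group(0)

def extract_binary_token(mso_rstr):
    """The MSO STS answers with a BinarySecurityToken: the 't=...&p=' blob."""
    root = ET.fromstring(mso_rstr)
    raise_on_fault(root)
    bst = root.find(".//wsse:BinarySecurityToken", NS)
    if bst is None or not bst.text:
        raise RuntimeError("no BinarySecurityToken in MSO STS response")
    return bst.text.strip()

def extract_cookies(headers, wanted=("FedAuth", "rtFa")):
    """Pick the named cookies out of Set-Cookie headers given as (name, value) pairs."""
    found = {}
    for name, value in headers:
        cname, _, cval = value.split(";", 1)[0].strip().partition("=")
        if name.lower() == "set-cookie" and cname in wanted:
            found[cname] = cval
    if set(wanted) - set(found):
        raise RuntimeError("sign-in response lacks: " + ", ".join(sorted(set(wanted) - set(found))))
    return found

def federated_login(post, adfs_url, username, password, site_url):
    """post(url, body, content_type) -> (status, headers, body) is the injected transport."""
    soap = "application/soap+xml; charset=utf-8"
    # 1) password (WS-Security UsernameToken) -> university ADFS, the issuer; realm is the MSO STS
    cred = (f'<o:UsernameToken xmlns:o="{NS["wsse"]}"><o:Username>{escape(username)}</o:Username>'
            f'<o:Password>{escape(password)}</o:Password></o:UsernameToken>')
    _, _, rstr = post(adfs_url, build_rst(adfs_url, cred, MSO_STS), soap)
    assertion = extract_assertion(rstr)
    # 2) SAML assertion as the credential -> MSO STS; the realm is now the SharePoint site
    _, _, rstr = post(MSO_STS, build_rst(MSO_STS, assertion, site_url), soap)
    token = extract_binary_token(rstr)
    # 3) binary token -> the site's sign-in page; FedAuth and rtFa come back as Set-Cookie
    _, headers, _ = post(site_url.rstrip("/") + "/_forms/default.aspx?wa=wsignin1.0",
                         token, "application/x-www-form-urlencoded")
    return extract_cookies(headers)

# Constructed stand-in for the three endpoints (no network); response shapes follow the real ones.
ADFS_URL = "https://adfs.example.edu/adfs/services/trust/2005/usernamemixed"
SITE = "https://example.sharepoint.com/sites/MYSITE"
ASSERTION = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_c0ffee">'
             '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>'
             'c29tZXNpZw==</ds:SignatureValue></ds:Signature></saml:Assertion>')
BODY = f'<s:Envelope xmlns:s="{NS["s"]}"><s:Body>{{}}</s:Body></s:Envelope>'
RSTR = (f'<t:RequestSecurityTokenResponse xmlns:t="{NS["t"]}"><t:RequestedSecurityToken>{{}}'
        '</t:RequestedSecurityToken></t:RequestSecurityTokenResponse>')

def fake_post(url, body, content_type):
    if url == ADFS_URL:
        return 200, [], BODY.format(RSTR.format(ASSERTION))
    if url == MSO_STS:
        if ASSERTION not in body or SITE not in body:  # wrong credential or realm -> fault
            fault = (f'<s:Fault xmlns:s="{NS["s"]}"><s:Detail><psf:error xmlns:psf="{NS["psf"]}">'
                     '<psf:text>Invalid STS request.</psf:text></psf:error></s:Detail></s:Fault>')
            return 500, [], BODY.format(fault)
        bst = (f'<wsse:BinarySecurityToken xmlns:wsse="{NS["wsse"]}" Id="Compact0">'
               't=EwBwA...&amp;p=</wsse:BinarySecurityToken>')
        return 200, [], BODY.format(RSTR.format(bst))
    if url.endswith("/_forms/default.aspx?wa=wsignin1.0") and body.startswith("t="):
        return 302, [("Set-Cookie", "rtFa=RTFA-SAMPLE; domain=sharepoint.com; path=/; secure; HttpOnly"),
                     ("Set-Cookie", "FedAuth=FEDAUTH-SAMPLE; path=/; secure; HttpOnly")], ""
    return 404, [], ""
```

`federated_login(fake_post, ADFS_URL, "student@example.edu", "hunter2", SITE)` returns both cookies; against a real tenant, `post` would be a thin wrapper over an HTTP client that returns the raw Set-Cookie headers of the sign-in response rather than following the redirect. Two points the question runs into are visible here: the assertion is a bearer token (NoProofKey), so it carries no proof key and is simply forwarded inside the Security header of the second RST rather than used to sign anything; and the rtFa cookie is set by the sign-in page together with FedAuth, so a client that only keeps the one cookie it was asked for is the usual reason rtFa goes missing.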

Actually, only the FedAuth cookie is required for the purposes of SharePoint Online/Office 365 authentication.

The FedAuth cookie enables federated authorization, and the rtFa cookie enables signing the user out of all SharePoint sites, even if the sign-out process starts from a non-SharePoint site.

So, it is sufficient to provide the SPOIDCRL HTTP header in order to perform authentication in SharePoint Online/Office 365, for example:

The following examples show how to perform active authentication in SharePoint Online/Office 365 by supplying the FedAuth cookie.

Example 1: Retrieve FormDigest via the SharePoint 2013 REST API (using the MsOnlineClaimsHelper class)

Example 2: Retrieve FormDigest via the SharePoint 2013 REST API (using the SharePointOnlineCredentials class)

The modified version of the example for downloading a file:

My problem is that when I try to download a file from SharePoint (by performing an HTTP request via HttpClient to a URL such as link), the response is successful ONLY IF I provide both the FedAuth and the rtFa cookie. FedAuth alone is not sufficient. Thus, I have to obtain the rtFa cookie OR make that request work without it. PS: I don't know what a FormDigest is. - metaphori August 29 '14 at 12:36

Actually, since I successfully managed to DOWNLOAD a file using both FedAuth and rtFa, I turned my attention to what I thought was the source of the issue: the inability to obtain the rtFa cookie. I'll update my question. - metaphori August 29 '14 at 12:57
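The answer's recipe (present FedAuth, either as the SPOIDCRL header or as a cookie, then call the REST API for the FormDigest) and the comment's observation (a direct file URL answered only when rtFa was sent too), as one added example. This is not the answer's or the question's code, and the transport, `example.sharepoint.com`, the digest string and the file bytes are constructed. FormDigest, which the comment asks about, is the request-validation token returned by `POST /_api/contextinfo` that SharePoint requires in the `X-RequestDigest` header on state-changing REST calls; a plain GET or a file download does not need it. The constructed server models the tenant as the comment describes it: FedAuth alone suffices for the REST endpoint, the file URL additionally wants rtFa.

```python
"""Using the SharePoint Online cookies against the REST API. Added example; not the answer's
or the question's code. Transport, host names, digest and file bytes are constructed."""
import json
import xml.etree.ElementTree as ET

DATASERVICES = "http://schemas.microsoft.com/ado/2007/08/dataservices"

def auth_headers(fedauth, rtfa=None, spoidcrl=False):
    """Two ways to present FedAuth. SPOIDCRL (the answer's form) carries only FedAuth; the
    Cookie form can also carry rtFa, which the question found necessary for a file URL."""
    if spoidcrl:
        return {"SPOIDCRL": fedauth}
    return {"Cookie": f"FedAuth={fedauth}" + (f"; rtFa={rtfa}" if rtfa else "")}

def get_form_digest(request, site_url, auth, accept="application/json;odata=verbose"):
    """POST /_api/contextinfo and return FormDigestValue, the token SharePoint requires in
    the X-RequestDigest header on REST writes (POST/MERGE/DELETE). Reads the JSON
    (odata=verbose) shape or the XML shape, whichever the server returned."""
    headers = {**auth, "Accept": accept}
    status, ctype, body = request("POST", site_url.rstrip("/") + "/_api/contextinfo", headers, b"")
    if status != 200:
        raise RuntimeError(f"contextinfo failed: HTTP {status}")
    if "json" in ctype:
        return json.loads(body)["d"]["GetContextWebInformation"]["FormDigestValue"]
    node = ET.fromstring(body).find(f".//{{{DATASERVICES}}}FormDigestValue")
    if node is None or not node.text:
        raise RuntimeError("no FormDigestValue in contextinfo response")
    return node.text

def download_file(request, file_url, fedauth, rtfa=None):
    """Fetch a file URL with FedAuth only; on 401/403 retry with FedAuth+rtFa, which is
    the behaviour the question reports (the answer says FedAuth alone should do)."""
    status, _, body = request("GET", file_url, auth_headers(fedauth), b"")
    if status in (401, 403) and rtfa:
        status, _, body = request("GET", file_url, auth_headers(fedauth, rtfa), b"")
    if status != 200:
        raise RuntimeError(f"download failed: HTTP {status}")
    return body

# Constructed stand-in for the tenant (no network). It accepts FedAuth via either header on
# the REST endpoint but, like the tenant in the question, wants rtFa too on the file URL.
SITE = "https://example.sharepoint.com/sites/MYSITE"
DIGEST = "0x0123456789ABCDEF,29 Aug 2014 12:36:00 -0000"
FEDAUTH, RTFA = "FEDAUTH-SAMPLE", "RTFA-SAMPLE"

def _cookies(headers):
    """Parse a Cookie request header into a dict."""
    return dict(p.strip().split("=", 1) for p in headers.get("Cookie", "").split(";") if "=" in p)

def fake_request(method, url, headers, body):
    """request(method, url, headers, body) -> (status, content_type, body)"""
    has_fedauth = headers.get("SPOIDCRL") == FEDAUTH or _cookies(headers).get("FedAuth") == FEDAUTH
    if not has_fedauth:
        return 401, "text/plain", b""
    if method == "POST" and url.endswith("/_api/contextinfo"):
        if "json" in headers.get("Accept", ""):
            doc = {"d": {"GetContextWebInformation": {"FormDigestValue": DIGEST,
                                                      "FormDigestTimeoutSeconds": 1800}}}
            return 200, "application/json;odata=verbose;charset=utf-8", json.dumps(doc)
        xml = (f'<d:GetContextWebInformation xmlns:d="{DATASERVICES}"><d:FormDigestValue>'
               f'{DIGEST}</d:FormDigestValue></d:GetContextWebInformation>')
        return 200, "application/xml", xml
    if method == "GET" and url.endswith(".pdf"):
        if _cookies(headers).get("rtFa") != RTFA:
            return 401, "text/plain", b""
        return 200, "application/pdf", b"%PDF-1.4 constructed sample"
    return 404, "text/plain", b""
```

`get_form_digest(fake_request, SITE, auth_headers(FEDAUTH, spoidcrl=True))` follows the answer's SPOIDCRL route, and `download_file(fake_request, SITE + "/path/myfile.pdf", FEDAUTH, RTFA)` reproduces the comment's finding: the first attempt with FedAuth alone is refused and the retry with both cookies succeeds. Swapping `fake_request` for a real HTTP client is the only change needed to run either call against a tenant, and the retry makes the client work whichever of the two observations holds for that tenant.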
